DETAILED ACTION

Response to Arguments 

1. In response to communications filed on 5/20/2004, Applicant cancels claims 5, 23, and 40 and amends claims 1, 6, 19, 22, 24, 37, 38, and 43. Applicant adds claims 46-57. The following claims 1-4, 6-22, 24-39, 41-57 are presented for examination.

2. The amendments to the specification, pages 20-23 and the abstract on page 24, filed on 
5/20/2004 have been considered. The objection to the specification and the drawing has been 
withdrawn with respect to the amended drawing and specifications. The objection to claims 22, 
37, and 43 has been withdrawn. 

3. Applicant's remarks, pages 25-37, filed on 5/20/2004, with respect to the rejection of claims 1-45 have been fully considered, but are not persuasive. Regarding amended claims 1, 19, and 38, Applicant states that Bapat does not disclose "selecting based on the access request a selected set of rules". Examiner respectfully asserts that Bapat discloses the claimed invention as claimed. Bapat recites that when the user access request is a select statement, it invokes a control access procedure that uses a set of access rights stored in at least one permissions table ... for instance (see claim 9), which meets the recitation of selecting a set of rules. The Office action recites column 11, lines 51-67 and column 27 showing that the grant rules and deny rules meet the recitation of a selected set of rules as disclosed by Bapat: "this structure makes it easy to define set of access rules" (column 12, lines 1-5). Bapat also discloses performing the rules such as the global deny rule, targeted deny rules, global grant rules, and targeted allow rules successively in that order, which meets the recitation of sequentially performing rule operations in each rule. Applicant also states that there is no disregard instruction (terminating the performance of any remaining rule operations). Bapat discloses performing the steps of access control rules based on permission tables in a hierarchical order unless a grant or deny decision is reached in any one step, which meets the recitation of performing less than all rule operations ... until reaching a disregard instruction, thereby terminating any remaining rule operations. For instance, once the rule denying access to all objects is reached, there is no need to check the rule denying access to a specific object.

Applicant states that there is no indication of rules arranged in hierarchy. Examiner respectfully asserts that rules are processed in order as discussed above. Bapat states "access control database consists of hierarchy of objects", for example in column 5, line 19. Bapat also discloses in column 9, line 55 that rules are typically defined hierarchically with respect to groups ... "the user group feature helps to greatly reduce the amount of data required to define each access rule" (lines 48-50).

Regarding claim 8, Bapat provides an example in columns 26-28 showing how remaining rules do not need to be performed, as described above. For example, column 28, lines 42-56 recite "if access to all objects specified in a query is denied, the query is denied without providing a detailed explanation to the user", which meets the recitation of all other rules being disregarded. On the other hand, if access to some objects but not others is granted, the access control procedure enables the user query to be executed on the objects to which access is granted. See also column 29, line 60 through column 30, line 24. In another embodiment, Bapat also discloses "denying access to a user if any of the user's group is denied access to that object".
Regarding claim 13, the example "Enforcing access control" involves conditional instructions that are performed in order; for example, a condition in step 1 must be met before step 2, which includes a disregard instruction, is performed, as explained above.

Applicant has amended independent claims 1, 19, and 38 to include the limitations of cancelled claims 5, 23, and 40 respectively. Applicant has not overcome the rejection of these claims as discussed above. Applicant also adds claims 46-57 with new limitations. Upon further consideration a new ground of rejection is made in view of Bhatt et al. Bhatt discloses the new limitations of claims 46-57.

Claim Rejections - 35 USC § 112 

4. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and 
distinctly claiming the subject matter, which the applicant regards as his invention. 

Claim 57 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter which applicant regards as the invention.

4.1 Claim 57 recites the limitation "wherein the performance of the IF-THEN operation ...". There is insufficient antecedent basis for this limitation in the claim.
Claim Rejections - 35 USC § 102

5. A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another 
filed in the United States before the invention thereof by the applicant for patent, or on an 
international application by another who has fulfilled the requirements of paragraphs (1), 
(2), and (4) of section 371(c) of this title before the invention thereof by the applicant for 
patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act of 1999 
(AIPA) and the Intellectual Property and High Technical Amendments Act of 2002 do not 
apply when the reference is a U.S. patent resulting directly or indirectly from an international 
application filed before November 29, 2000. Therefore, the prior art date of the reference is 
determined under 35 U.S.C. 102(e) prior to the amendment by the AIPA (pre-AIPA 35 U.S.C. 
102(e)). 

5.1 Claims 1-45 are rejected under 35 U.S.C. 102(e) as being anticipated by US Patent 6,236,996 to Bapat et al.

5.2 As per claims 1, 19, and 38, Bapat et al. discloses a method and a system (see figure 3) that meets the recitation of the system of claim 19 comprising input/output interface, processor, memory system encoded with authorization program, authorization database, and interconnection mechanism coupling the above list, for providing access control in a computing system environment, the method comprising the steps of receiving an access request (see column 11, line 59); selecting, based on the access request, a selected set of rules containing at least one rule from at least one master set of rules (see column 11, lines 59-65 and column 13, lines 15-57); and performing at least one rule operation in the at least one rule in the selected set of rules to produce an access control decision until at least one of: i) a rule operation including a disregard instruction is performed to limit performance of rule operations in the selected set of rules; and ii) all rule operations in the selected set of rules that are applicable to the access control decision are performed (see column 11, lines 59-65 and column 13, lines 15-57).

As per claims 2 and 20, Bapat et al. discloses the limitation of wherein the step of performing includes the step of producing an access control decision indicating whether to allow access, on behalf of a requestor submitting the access request, to a resource in the computing system environment (see column 11, lines 59-65 and column 13, lines 15-57).

As per claims 3 and 21, Bapat et al. discloses the limitation of wherein the step of 
selecting includes the steps of determining an identity of the resource in the computing system 
environment to which access is requested in the access request; and applying at least one filter 
operation, using the identity of the resource, for rules in the at least one master set of rules to 
produce the selected set of rules for use in determining the access control decision to the resource 
(see column 14, lines 10-42). 

As per claims 4 and 22, Bapat et al. discloses the limitation of further including the step of determining a role identity of a requestor submitting the access request (see column 15, lines 23-28 and column 16, lines 55-58); and wherein the step of applying applies the at least one filter operation, using the role identity of the requestor submitting the access request in combination with the identity of the resource, for rules in the at least one master set of rules to produce the selected set of rules for use in determining the access control decision to the resource (see column 14, line 53 through column 15, line 10; see also column 16, line 55 through column 17, line 41).

As per claims 5, 23, and 40, Bapat et al. discloses the limitation of wherein at least one rule in the selected set of rules contains a rule operation including an unconditional disregard instruction (see column 11, lines 11-23); and wherein the step of performing includes the steps of performing less than all rule operations defined within the at least one rule in the selected set of rules by sequentially performing rule operations in each rule in the selected set of rules until the unconditional disregard instruction is performed, thereby terminating the performance of any remaining rule operations in the selected set of rules (see column 15, lines 28-34 and column 11, lines 11-23; see also column 27, lines 50 et seq.).

As per claims 6 and 24, Bapat et al. discloses the limitation of wherein the selected set of rules is arranged hierarchically such that rules containing rule operations that are more specific are performed before rule operations that are more general (see column 15, lines 28-34 and column 11, lines 11-23).

Application/Control Number: 09/611,913 Page 8

Art Unit: 2136

As per claims 7, 10, 25, 28, and 41, Bapat et al. discloses the limitation of wherein at least one rule in the selected set of rules contains a rule operation including a disregard instruction including disregard criteria; and wherein the step of performing limits performance of rule operations in the selected set of rules by performing the disregard instruction containing disregard criteria such that at least one rule operation in any remaining rule operations in the selected set of rules is disregarded from further performance (see column 26, line 51 through column 27, line 28; see also column 27, lines 50 et seq.).

As per claims 8, 11, 26, and 29, Bapat et al. discloses the limitation of wherein the step 
of performing includes the steps of evaluating the disregard criteria against any remaining 
unperformed rule operations in the selected set of rules; and marking any remaining unperformed 
rule operations in the selected set of rules that match the disregard criteria to be disregarded from 
further rule processing (see column 26, line 51 through column 27, line 28). 

As per claims 9, 27, and 39, Bapat et al. discloses the limitation of wherein the step of selecting includes the steps of determining an identity of a resource in the computing system environment to which access is requested in the access request (see column 26, lines 30-40); and applying at least one filter operation, using the identity of the resource, for rules in the at least one master set of rules to produce the selected set of rules for use in determining the access control decision to the resource (see column 26, line 51 through column 27, line 28); and wherein the method further includes the step of determining a role identity of a requestor submitting the access request (see column 26, lines 30-40); and wherein the step of performing sequentially processes each rule operation in the selected set of rules using the role identity of the requestor submitting the access request in combination with the identity of the resource to determine if the requestor using the role identity can access the resource (see also column 27, lines 50 et seq.).

As per claims 12 and 30, Bapat et al. discloses the limitation of wherein the selected set of rules is arranged hierarchically such that rules containing rule operations that are more specific are performed before rules containing rule operations that are more general, such that placement of the disregard instruction in one of the at least one rules in the selected set of rules causes the step of performing to control an amount of access control provided to the requestor that submitted the access request for access to the resource (see column 15, lines 28-34 and column 11, lines 11-23; see also column 27, lines 50 et seq.).

As per claims 13 and 31, Bapat et al. discloses the limitation of wherein the disregard instruction is a conditional instruction that has a condition that must be met before the disregard instruction is performed (see column 27, lines 50 et seq.).

As per claims 14 and 32, Bapat et al. discloses the limitation of wherein at least one 
rule in the selected set of rules contains a relation that defines a condition based on a group 
definition; and wherein at least one of the steps of selecting and performing includes the step of 
performing the relation to determine if at least one of a requestor, an access, and a resource 
specified in the access request satisfy the condition based on the group definition (see column 26, 
lines 30-67). 
As per claims 15, 33, and 43, Bapat et al. discloses a method for determining an authorization state of an access control system in a computing system environment, the method comprising the steps of receiving an access request (see column 27, lines 45-49); determining at least one of: i) an identity of the resource in the computing system environment to which the access request is directed (see column 26, lines 30-40); and ii) a role identity of a requestor submitting the access request; and applying at least one filter operation, based on at least one of the identity of the resource and the role identity of a requestor, to at least one master set of rules to produce a list of rules to which the at least one filter operation matches in order to provide an indication of the authorization state of an access control system in a computing system environment as related to at least one of the identity of the resource and the role identity of a requestor (see column 26, lines 30-40 and column 27, lines 50 et seq.).

As per claims 16 and 34, Bapat et al. discloses the limitation of wherein the step of 
applying at least one filter operation applies a filter operation to determine what rules in the at 
least one master set of rules affect access to what resource in the computing system environment 
(see column 26, line 51 through column 27, line 28 and column 27, lines 50 et seq.). 

As per claims 17, 35, and 42, Bapat et al. discloses the limitation of wherein the step of 
applying at least one filter operation applies a filter operation to determine what rules in the at 
least one master set of rules affect what at least one requestor can do to at least one resource in 
the computing system environment (see column 26, line 51 through column 27, line 28 and 
column 27, lines 50 et seq.). 

As per claims 18 and 36, Bapat et al. discloses the limitation of wherein the step of applying at least one filter operation applies a filter operation to determine access control operations that a requestor can do to at least one resource in the computing system environment (see column 26, line 51 through column 27, line 28 and column 27, lines 50 et seq.).

As per claims 37 and 44, Bapat et al. discloses a method providing access control to a resource in a computing system environment, the method comprising the steps of receiving an access request from a requestor requesting access to a resource in the computing system environment and determining a role identity associated with the requestor requesting access to the resource (see column 26, lines 30-40); and processing the access request in relation to a rule set based on an identity of the resource in the computing system environment to which the requestor requested access and based on the role identity associated with the requestor to determine if the requestor is allowed to access the resource (see column 26, line 51 through column 27, line 28 and column 27, lines 50 et seq.); and wherein the rule set includes a plurality of rules, each rule including a filter operation, and wherein the step of processing determines if a rule applies to the resource in the computing system environment to which the requestor requested access based on the filter operation (see column 26, line 51 through column 27, line 28 and column 27, lines 50 et seq.); and wherein at least one rule in the rule set includes a disregard instruction, and wherein if the step of processing determines, based on the filter operation, that the rule including the disregard instruction applies to the resource in the computing system environment to which the requestor requested access, the step of processing processes the rule including the disregard instruction to limit performance of any remaining rule operations in the selected set of rules (see column 26, line 51 through column 27, line 28 and column 27, lines 50 et seq.).

As per claim 45, Bapat et al. discloses a method for controlling applicability of rule operations in a rule-based access control system, the method comprising the step of selecting at least one rule for performance to determine an access control decision; and performing a rule operation in the at least one rule, the rule operation including a disregard instruction that, when performed, causes non-performance of at least one other rule operation in at least one rule that is selected for performance to determine the access control decision (see column 26, line 51 through column 27, line 28 and column 27, lines 50 et seq.).
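To make the rule processing recited above concrete, the following is an added, constructed example (not code from either cited patent or from the application under examination): it models a master rule set, the filter operations that select rules by resource identity and role identity, the more-specific-before-more-general ordering, sequential performance of rule operations, and unconditional and conditional disregard instructions that limit the remaining operations, plus the authorization-state query of claims 15-18. The rule names, the data model and the decision-combining rule (any performed deny wins, otherwise allow, otherwise default deny) are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data model for this example (an assumption, not from the patents).
@dataclass(frozen=True)
class Op:
    kind: str                        # "allow", "deny" or "disregard"
    tag: str = ""                    # label that disregard criteria can match
    criteria: Optional[str] = None   # disregard only: tag to skip; None = unconditional

@dataclass(frozen=True)
class Rule:
    name: str
    resource: Optional[str]          # filter field; None matches any resource
    role: Optional[str]              # filter field; None matches any role
    ops: tuple                       # rule operations, performed in this order

def matches(rule, resource, role):
    """Filter operation: does this rule apply to the access request?"""
    return rule.resource in (None, resource) and rule.role in (None, role)

def select_rules(master, resource, role):
    """Select matching rules from the master set, ordered more specific first.
    Ties keep master-set order because sorted() is stable."""
    selected = [r for r in master if matches(r, resource, role)]
    specificity = lambda r: (r.resource is not None) + (r.role is not None)
    return sorted(selected, key=specificity, reverse=True)

def decide(performed):
    """Combine performed allow/deny operations: any deny wins, else allow,
    else default deny (constructed policy for this example)."""
    kinds = {kind for _, kind in performed}
    if "deny" in kinds:
        return "deny"
    return "allow" if "allow" in kinds else "deny"

def perform(selected):
    """Perform rule operations sequentially until an unconditional disregard
    instruction is reached or all applicable operations are performed.
    A conditional disregard marks remaining operations whose tag matches its
    criteria so they are not performed. Returns (decision, performed ops)."""
    skipped = set()
    performed = []
    for rule in selected:
        for op in rule.ops:
            if op.tag in skipped:
                continue                          # disregarded by earlier criteria
            if op.kind == "disregard":
                if op.criteria is None:           # unconditional: stop processing
                    return decide(performed), performed
                skipped.add(op.criteria)          # conditional: limit the remainder
                continue
            performed.append((rule.name, op.kind))
    return decide(performed), performed

def access_decision(master, resource, role):
    """Receive request -> select rules -> perform operations -> decision."""
    return perform(select_rules(master, resource, role))[0]

def rules_affecting(master, resource=None, role=None):
    """Authorization-state query: which master rules can affect the given
    resource and/or role, including general (wildcard) rules."""
    return [r.name for r in master
            if (resource is None or r.resource in (None, resource))
            and (role is None or r.role in (None, role))]

# Constructed master rule set.
MASTER = (
    Rule("hr-admin-payroll", "payroll.db", "hr_admin",
         (Op("allow", "grant"), Op("disregard"))),              # allow, then stop
    Rule("auditor-read-all", None, "auditor",
         (Op("disregard", criteria="lock"), Op("allow", "grant"))),  # skip "lock" ops
    Rule("payroll-locked", "payroll.db", None,
         (Op("deny", "lock"),)),                                # general deny
)

if __name__ == "__main__":
    for role, resource in [("hr_admin", "payroll.db"), ("auditor", "payroll.db"),
                           ("intern", "payroll.db"), ("intern", "wiki")]:
        decision, trace = perform(select_rules(MASTER, resource, role))
        print(f"{role:9s} {resource:11s} -> {decision:5s} performed={trace}")
```

Removing the unconditional disregard from "hr-admin-payroll" lets the more general "payroll-locked" deny be performed afterwards and flip the decision, which is the effect of disregard placement that claims 12 and 30 describe.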

6. Claims 52-56 are rejected under 35 U.S.C. 102(e) as being anticipated by US Patent 6,502,093 to Bhatt et al.

6.1 As per claim 45, Bhatt et al. discloses receiving an access request; selecting a subscription rule or an array of rules containing multiple rules against stored subscription rules, where the subscription rule is performed in sequential order as shown in the example in columns 5-6, which meets the recitation of wherein the step of selecting a set of rules from at least one master set of rules includes selecting a set of rules containing multiple rules from at least one master set of rules, at least one of the multiple rules including multiple rule operations to be performed in sequential order, for example (see column 5, lines 1-16 and column 6, lines 26-46), the method further comprising: for a given rule of the multiple rules: performing a filter operation associated with the given rule to identify whether to execute any rule operations in the given rule; and performing at least a portion of the multiple rule operations in sequential order to determine whether to provide access to a storage system in response to receiving the access request, for example (see column 6, line 26 through column 7, line 10).

As per claim 53, Bhatt et al. discloses the limitation of wherein the filter operation is an 
IF-THEN operation and performance of the IF-THEN operation provides an indication whether 
to perform at least one of the multiple rule operations in the given rule, for example (see column 
5, line 50 through column 6, line 46). 

As per claims 54-55, Bhatt et al. discloses the limitation of wherein performing at least 
a portion of the multiple rule operations in the given rule includes: performing a disregard 
instruction in the given rule that limits performance of other rule operations in the given rule, 
wherein the disregard instruction is a conditional disregard instruction, which when executed 
limits a performance of other rule operations in the given rule depending on occurrence of a 
corresponding condition, for example (see column 5, lines 1-16 and column 6, lines 50-67). 

As per claim 56, Bhatt et al. discloses the limitation of further comprising: performing 
at least one other rule operation in the given rule after performing a conditional disregard 
instruction, for example (see column 6, lines 50-67). 
Claim Rejections - 35 USC § 103

7. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or 
described as set forth in section 102 of this title, if the differences between the subject matter 
sought to be patented and the prior art are such that the subject matter as a whole would have 
been obvious at the time the invention was made to a person having ordinary skill in the art to 
which said subject matter pertains. Patentability shall not be negatived by the manner in which 
the invention was made. 

7.1 Claims 46-51 and 57 are rejected under 35 U.S.C. 103(a) as being unpatentable over US Patent 6,236,996 to Bapat et al. in view of US Patent 6,502,093 to Bhatt et al.

7.2 As per claim 46, Bapat et al. substantially teaches the claimed method of claim 1. Bapat et al. discloses that when the user access request is a select statement, it invokes a control access procedure that uses a set of access rights stored in at least one permissions table ... for instance (see claim 9), which meets the recitation of selecting a set of rules. The Office action recites column 11, lines 51-67 and column 27 showing that the grant rules and deny rules meet the recitation of a selected set of rules as disclosed by Bapat et al.: "this structure makes it easy to define set of access rules" (column 12, lines 1-5). Bapat et al. discloses permission tables with multiple rules, and the deny entries and grant entries are performed in order in column 27, line 45 through column 28, line 55. Bapat discloses performing a filter operation associated with the given rule to identify whether to execute any rule operations in the given rule; and performing at least a portion of the multiple rule operations in sequential order to determine whether to provide access to a storage system in response to receiving the access request, for example (see column 27, line 45 through column 28, line 55). Bhatt et al. in an analogous art teaches selecting a subscription rule or an array of rules containing multiple rules against stored subscription rules, where the subscription rule is performed in sequential order as shown in the example in columns 5-6, which meets the recitation of wherein the step of selecting a set of rules from at least one master set of rules includes selecting a set of rules containing multiple rules from at least one master set of rules, at least one of the multiple rules including multiple rule operations to be performed in sequential order, for example (see column 5, lines 1-16 and column 6, lines 26-46), the method further comprising: for a given rule of the multiple rules: performing a filter operation associated with the given rule to identify whether to execute any rule operations in the given rule; and performing at least a portion of the multiple rule operations in sequential order to determine whether to provide access to a storage system in response to receiving the access request, for example (see column 6, line 26 through column 7, line 10). Bhatt et al. discloses a relational database system that is advantageous as it can be used for sophisticated filtering of rules and all standard database features are supported. Also, the invention can be used for requests of messages as well as to produce messages, for example (see column 2, line 64 through column 3, line 37). Therefore, it would have been obvious to one of ordinary skill in the art at the time the invention was made to modify the method of Bapat et al. to provide a relational database system as taught by Bhatt et al. This modification would have been obvious because one skilled in the art would have been motivated by the suggestions provided by Bhatt et al. so as to provide a relational database system that can be used for sophisticated filtering of rules, in which all standard database features are supported, and that can be used for requests of messages as well as to produce messages.

As per claim 47, Bapat et al. substantially teaches the limitation of wherein the filter operation is an IF-THEN operation and performance of the IF-THEN operation provides an indication whether to perform at least one of the multiple rule operations in the given rule, for example (see column 13, lines 31-40 and column 27, line 45 through column 28, line 55). Bhatt et al. also discloses wherein the filter operation is an IF-THEN operation and performance of the IF-THEN operation, for example (see column 5, line 50 through column 6, line 46).

As per claims 48-49, both references teach the limitation of wherein performing at least a portion of the multiple rule operations in the given rule includes: performing a disregard instruction in the given rule that limits performance of other rule operations in the given rule, wherein the disregard instruction is a conditional disregard instruction, which when executed limits a performance of other rule operations in the given rule depending on occurrence of a corresponding condition. Bapat et al. discloses performing the steps of access control rules based on permission tables in a hierarchical order unless a grant or deny decision is reached in any one step, which meets the recitation of performing less than all rule operations ... until reaching a disregard instruction, thereby terminating any remaining rule operations. For instance, once the rule denying access to all objects is reached, there is no need to check the rule denying access to a specific object, for example (see Bapat et al., column 27, line 45 through column 28, line 55). See also, for example, Bhatt et al., column 5, lines 1-16 and column 6, lines 50-67.

As per claim 50, Bhatt et al. discloses the limitation of further comprising: performing 
at least one other rule operation in the given rule after performing a conditional disregard 
instruction, for example (see column 6, lines 50-67). Therefore, claim 50 is rejected on the 
same rationale as the rejection of claim 46. 

As per claims 51 and 57, Bapat et al. discloses the limitation of wherein performance of 
the IF-THEN operation includes identifying whether an application generating the access request 
uses a particular resource in the storage system as well as whether a requestor associated with the 
access request is a member of a particular specified group and, if so, performing the rule 
operations in the given rule, for example (see column 9, lines 45-61 and column 18, lines 19- 
27). 

Conclusion 

8. Applicant's amendment necessitated the new ground(s) of rejection presented in this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP § 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within TWO 
MONTHS of the mailing date of this final action and the advisory action is not mailed until after 
the end of the THREE-MONTH shortened statutory period, then the shortened statutory period will expire on the date the advisory action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of the advisory action. In no event, however, will the statutory period for reply expire later than SIX MONTHS from the date of this final action.

8.1 Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Carl Colin whose telephone number is 703-305-0355. The 
examiner can normally be reached on Monday through Thursday, 8:00-6:30 PM. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Ayaz Sheikh can be reached on 703-305-9648. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 

Any inquiry of a general nature or relating to the status of this application or proceeding 
should be directed to the receptionist whose telephone number is 703-305-3900. 


Carl Colin
Patent Examiner
August 4, 2004